|
Risk Management & Strategy.
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Abstract]
|Risk Management & Strategy.
|
Risk Management & Strategy.
The Company uses an enterprise risk management and financial framework to oversee its risks, including risks from cybersecurity incidents, as further described below. The Company’s information technology & cybersecurity risk management is a continuous process that includes identification, assessment, classification, and management of threats that could adversely impact our ability to maintain the integrity of Bank data and systems, prevent unauthorized access to confidential data and Bank systems, and achieve the Company’s operational, financial, reputational, legal and regulatory compliance requirements or objectives. Please see Item 1A. Risk Factors – Risks Related to Cybersecurity and Data Privacy – “We Face Cybersecurity Risks and Risks Associated With Security Breaches Which Have the Potential to Disrupt Our Operations, Cause Material Harm to Our Financial Condition, Result in Misappropriation of Assets, Compromise Confidential Information and/or Damage Our Business Relationships and Can Provide No Assurance That the Steps We and Our Service Providers Take in Response to These Risks Will Be Effective” for our disclosures regarding the most pertinent risks we may experience from cybersecurity threats.
The Bank has a management-level Strategic Technology Oversight Committee (the “TOC”). Members of the TOC include the Bank’s Information Security Officer (the “ISO”), the Chief Information Officer as well as representatives of each department, including Senior Officers and/or their designees. The TOC reviews the status of various tactical and strategic projects; emerging technologies; cybersecurity, availability and performance metrics; IT and Business Continuity policies; Business Continuity test results and IT & Cybersecurity Risk Assessment results to monitor the extent of risk, evaluate the effectiveness of mitigating controls in place and ensure the level of risk remains within tolerance through acceptance, or further mitigation, transfer or elimination of the risk.
Additionally, the Bank has an ISO Metrics Oversight Committee (the “ISO Metrics Committee”) which meets on a monthly basis with a focus on cybersecurity. Members of the ISO Metrics Committee include the ISO, the Chief Information Officer, the Chief Risk Officer, as well as members of the information technology team involved with cybersecurity and infrastructure. The function of the ISO Metrics Committee is to review monthly cybersecurity metrics to support discussion of cyber threats, cyber risk trends, and risk mitigation as well as to participate in an annual tabletop business disruption exercise to assess the Bank’s resilience and readiness should such an event occur.
All employees participate in cybersecurity and social engineering training. The Board also receives formal training annually. The Bank conducts social engineering tests for employees, such as phishing tests, throughout the year. We consider employee awareness and training to be a critical component of the Bank’s cybersecurity program.
Third-party relationships, including vendor relationships, can offer the Bank a variety of opportunities to enhance its product and servicing offerings along with facilitating operational functions or business activities. Outsourcing processes or functions does not diminish the Bank’s responsibility to ensure that the third-party activity is conducted in a safe and sound manner and in compliance with applicable laws, regulations, and internal policies. Oversight for the potential risks of third-party relationships lies with the Bank’s management and the Board.
The Bank maintains a third-party risk management oversight program to effectively assess, measure, monitor and control the risks associated with vendor relationships. The Bank manages its third-party relationships through the use of informed risk assessments, due-diligence reviews, and ongoing oversight and monitoring. Information security and cybersecurity risks are included as elements in the third-party risk management process and are assessed for vendor relationships with access to confidential Bank or customer data.
The Bank uses industry standard assessment frameworks as part of its overall cybersecurity risk assessment. Industry standard assessment frameworks are used to evaluate the effectiveness of the Bank’s mitigating controls and support initiatives to achieve continuous improvements in the efficacy of the control environment. The Bank’s TOC and Enterprise Risk Management framework provide ongoing oversight and governance of technology and cybersecurity risk management activities to ensure alignment with the Bank’s risk appetite. Independent audits are performed periodically to review the Bank’s mitigating controls as well as to conduct penetration testing of the Bank’s internal and external systems to help assess the effectiveness of the Bank’s security controls. Additionally, on an annual basis, an independent auditor tests our employees’ awareness of and resilience to various social engineering tactics to provide independent verification and to augment the Bank’s internal testing. Results of the audits are reported through the Bank’s Audit Committee, and ultimately to the Bank’s Board.
The Bank also has a relationship with a third-party Security Operations Center that provides continuous monitoring of all traffic in our environment for anomalies as well as services, as needed, to assist in conducting forensic analysis, correlation and remediation activities for any potential indications of compromise.
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef